While the recent focus has been on cyber security following a notable super fund hack and subsequent scrutiny by the Australian Prudential Regulation Authority (APRA), it’s clear that operational risks extend far beyond cyber threats. The intricate web of relationships with external asset managers and service providers presents multifaceted challenges, requiring meticulous scrutiny through operational due diligence processes. Amid evolving regulatory landscapes, emerging ESG standards, and the proliferation of non-traditional investments, ensuring operational resilience has become paramount.
Today, three notable trends are making operational due diligence (ODD) of external asset managers increasingly challenging for the typical institutional investor. The first, of course, is the much-discussed and evolving cyber threat, which is testing all players in the investment industry. The second is the rise of ESG, which is creating new risks around the claims and labels that asset managers apply to their strategies and businesses: the Securities and Exchange Commission (SEC) in the US has already showcased its willingness to clamp down, with the US$4 million fine for GSAM representing a particularly high-profile example. The third, and perhaps the most interesting day-to-day challenge for those involved in “ODD”, is the long-term shift in favour of “non-traditional” investments and greater use of alternative or even emerging investment managers.
Super funds and other investors must ensure that their internal protocols and procedures are in line with best practice. Their external asset managers and other service providers, however, must also be scrutinised with care. Investors are vulnerable to the operational failings of their selected partners. The potential damage to the investment manager and/or the institutional investor whose assets they manage can be significant. Even where the financial cost may be moderate, the reputational cost – sometimes more important in a world of instant news and pension consumer choice – can be more severe. Fines issued by regulators present a powerful example of this effect: the real price is not the cash penalty.
External asset managers and operational risk
Relationships between asset managers and their clients are inherently based on trust: investors are often left in the dark as to what actually goes on behind closed doors. Indeed, depending on the asset manager, this may be even more true of aspects of their operational framework than for their investments (on which they may well provide full transparency). Getting a sufficiently accurate picture involves carrying out targeted questionnaires, reviewing policies, checking internal control reports, examining financial statements, understanding procedures, questioning relevant teams, and even engaging with management to implement improvements.
Moreover, the uncomfortable truth is that there is no perfect control framework for an asset manager. Even in the best-case scenario, operational due diligence does still involve accepting an element of “known unknowns” and, where relevant, ensuring that the investor does not bear the brunt of prospective damage (through, for example, negotiated provisions within the investment management agreement).
The alternative investment challenge
Higher exposure to alternative asset classes, and particularly private markets, can open investors up to greater operational risks. At the risk of over-generalising, we do still observe that private market managers – despite considerable institutionalisation through recent years – tend to have less well-defined control frameworks, weaker policies and less investor-friendly procedures, on average, than their more traditional public market-focused counterparts (though shortcomings are to be found among the latter also, of course).
Investors should be careful not to assume that their asset manager has appropriate control functions in areas such as valuations, cash wires and fee calculations. This is particularly true in private markets: although many asset managers do have well-defined operating environments, we see plenty of exceptions. For example, a recent ODD exercise revealed a manager whose inadequate processes had opened them up to a phishing attack: cyber criminals had been able to wire money from one of the firm’s funds. Appropriate questions to identify vulnerabilities would include: what processes has a manager implemented to mitigate the risk of internal fraud with respect to cash movements from the fund? Has the firm adopted technology to segregate cash wire authorisation rights? Manual processes – still used by some asset managers – are both prone to failure and more easily compromised.
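The segregation of cash wire authorisation rights that the questions above are probing is, at its core, a maker-checker control: the person who initiates a wire can never be the person who approves it, and the release step re-checks that rule instead of trusting earlier steps. The following is an added illustration of that control, not code from bfinance or from any manager mentioned in this article; the names, roles, account strings, amounts and the two-approver threshold are all constructed for the example. It walks through the phishing case described above, where one login has been taken over, and shows that the compromised account alone cannot release money from the fund.

```python
"""Dual-control (maker-checker) release of cash wires from a fund.

Added illustration for the point about segregating cash wire authorisation
rights; it is not code from bfinance or from any manager named in the article.
All names, roles, amounts and the approval threshold are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal

# Constructed role assignments. In a real deployment these come from the
# firm's identity system, never from the wire request itself.
ROLES = {
    "alice": {"initiator"},
    "bob": {"approver"},
    "carol": {"approver"},
    "dave": {"initiator", "approver"},  # holds both roles; still cannot self-approve
}

# Constructed policy: wires at or above this amount need two distinct approvers.
DUAL_APPROVAL_THRESHOLD = Decimal("1000000")


@dataclass
class WireRequest:
    wire_id: str
    fund: str
    beneficiary_account: str
    amount: Decimal
    initiator: str
    approvals: list = field(default_factory=list)


def has_role(person: str, role: str) -> bool:
    return role in ROLES.get(person, set())


def required_approvals(amount: Decimal) -> int:
    return 2 if amount >= DUAL_APPROVAL_THRESHOLD else 1


def approve(req: WireRequest, approver: str) -> str:
    """Record an approval; returns "ok" or the reason it was refused.
    A refusal leaves the request unchanged."""
    if not has_role(approver, "approver"):
        return f"{approver} lacks the approver role"
    if approver == req.initiator:
        return "initiator cannot approve their own wire"
    if approver in req.approvals:
        return f"{approver} has already approved {req.wire_id}"
    req.approvals.append(approver)
    return "ok"


def release_decision(req: WireRequest) -> tuple[bool, str]:
    """Final gate before the instruction goes to the bank. It re-checks every
    condition rather than trusting that approve() ran, so a single compromised
    login cannot move money on its own."""
    if not has_role(req.initiator, "initiator"):
        return False, "initiator lacks the initiator role"
    if req.initiator in req.approvals:
        return False, "initiator appears among the approvers"
    if len(set(req.approvals)) != len(req.approvals):
        return False, "duplicate approvals"
    if any(not has_role(a, "approver") for a in req.approvals):
        return False, "an approver lacks the approver role"
    need = required_approvals(req.amount)
    if len(req.approvals) < need:
        return False, f"{len(req.approvals)} of {need} required approvals"
    return True, "release"


def new_request(wire_id, fund, beneficiary_account, amount, initiator) -> WireRequest:
    return WireRequest(wire_id, fund, beneficiary_account, Decimal(amount), initiator)


def phishing_scenario() -> dict:
    """Constructed walk-through: assume alice's login is in an attacker's hands."""
    out = {}
    small = new_request("W-1", "Fund I", "CONSTRUCTED-ACCT-0001", "250000", "alice")
    out["no_approval"] = release_decision(small)          # blocked: 0 of 1 approvals
    out["alice_self"] = approve(small, "alice")           # alice is not an approver
    approve(small, "bob")
    out["one_approval_small"] = release_decision(small)   # released by a second person
    big = new_request("W-2", "Fund I", "CONSTRUCTED-ACCT-0002", "5000000", "dave")
    out["dave_self"] = approve(big, "dave")               # approver role, but the initiator
    approve(big, "bob")
    out["one_approval_big"] = release_decision(big)       # blocked: 1 of 2 approvals
    approve(big, "carol")
    out["two_approvals_big"] = release_decision(big)      # released
    return out


if __name__ == "__main__":
    for step, result in phishing_scenario().items():
        print(f"{step:20} {result}")
```

The design point is that `release_decision` is the only thing the payment channel consults, and it is deliberately redundant: even if an attacker finds a way to append an approval record, the release step still refuses a request whose initiator also appears as an approver, whose approvers lack the role, or whose amount crosses the constructed two-approver threshold without two distinct approvers. A manual process, by contrast, relies on each person remembering to perform these checks, which is why the article calls such processes both failure-prone and more easily compromised.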
Private market managers have also historically been subject to a lower level of regulatory oversight. This is changing, however. Regulators around the globe are increasing their focus on managers operating in private markets, in terms of both regulatory frameworks and visible enforcement priorities. In the US, the SEC announced a new set of rules specifically focused on private fund advisers in 2023, representing a step-change in private market manager regulation. In the UK, the Financial Conduct Authority (FCA) is carrying out a review of private market valuations. Several private market managers have recently received fines due to poorly designed compliance programs and/or practices deemed unfriendly to investors, including OEP Capital Advisors (US$4 million for the misuse of non-public information in its private equity business) and Lone Star with its affiliate Hudson Advisors (US$11.2 million for disclosure failings in relation to fees charged).
Certain regions have been more active in driving stronger practices than others. The European Union’s Alternative Investment Fund Managers Directive has normalised the practice of appointing an independent administrator to EU-domiciled private markets funds. However, many non-EU-domiciled vehicles, it should be noted, continue to be internally administered.
Towards operational best practice
APRA’s focus on cyber security is warmly welcomed and deserves praise. Yet, cyber risk management does not exist in a vacuum. Operational risks – cyber and beyond, in-house and external – should be considered holistically and given appropriate prioritisation.
Through vigorous ODD, super funds can mitigate the risks they incur via their service providers. They can also develop a stronger understanding of current best practice in asset management, helping them to avoid pitfalls and even drive operational improvements among service providers that they wish to appoint: direct engagement with management is, we believe, a cornerstone of good ODD process.
Moreover, with a stronger understanding of what “good” looks like now, super funds can apply “lessons learned” to internal operations. Both excellence and errors exhibited by investment managers have relevance in-house.
Matt Siddick, senior director, operational risk solutions, bfinance.